In my company we have an Fortigate 100d can someone please help me so that i can isolate this ports due to the ransomware attack that happened the last days.
Thank you very much.
Solved! Go to Solution.
hi,
Fortinet has communicated that they have issued an AV signature update for this, as well as an IPS signature. In fact, there are 2 IPS signatures related to MS 17-010.
This is the IPS sensor in CLI:
config ips sensorThe first one is a filter set to block. The second is a rate limited signature which is set to trigger on the first appearance.
edit "WannaCry"
set comment "20170515 block Wannacry/EternalBlue trojan"
config entries
edit 1
set rule 43796
set status enable
set action block
set rate-count 1
set rate-duration 5
next
edit 2
set rule 43797
set status enable
set action block
next
end
next
end
So, instead of completely blocking SMB you can insert an IPS profile with this sensor to protect your clients' network shares.
Note that not only Windows Server OS is affected but Windows 7, 8, 8.1 client OS.
hi,
Fortinet has communicated that they have issued an AV signature update for this, as well as an IPS signature. In fact, there are 2 IPS signatures related to MS 17-010.
This is the IPS sensor in CLI:
config ips sensorThe first one is a filter set to block. The second is a rate limited signature which is set to trigger on the first appearance.
edit "WannaCry"
set comment "20170515 block Wannacry/EternalBlue trojan"
config entries
edit 1
set rule 43796
set status enable
set action block
set rate-count 1
set rate-duration 5
next
edit 2
set rule 43797
set status enable
set action block
next
end
next
end
So, instead of completely blocking SMB you can insert an IPS profile with this sensor to protect your clients' network shares.
Note that not only Windows Server OS is affected but Windows 7, 8, 8.1 client OS.
Don´t forget "DoublePulsar" and set it to RDP on port 3389 ;)
FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C
Selective wrote:Don´t forget "DoublePulsar" and set it to RDP on port 3389 ;)
Good morning mate, thanks for advice!! How can i do that and how can i apply it to my local Lan configuration???
Cheers mates.
You can only block this if you traffic is going through the firewall.
FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C
@Lyberis: there's an IPS signature for "DoublePulsar" as well.
In the CLI the IPS sensor would look like:
config ips sensor
edit "WannaCry"
set comment "20170517"
config entries
edit 1
set rule 43797 43796 43963
set status enable
set action block
next
end
next
end
where 43963 is the signature ID for "Backdoor.DoublePulsar".
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1735 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.